The weekly cybersecurity news roundup will provide you with the latest insights and updates on the ever-evolving landscape of cyber threats and defenses. This week’s updates aim to keep you informed on the latest cybersecurity trends and risks affecting organizations, from data breaches and malware attacks to emerging technologies and best practices in information security.
Romance Scams Cost 70,000 Americans $1.3 Billion in Losses Last Year, According to FTC
The U.S. Federal Trade Commission (FTC) has reported that Americans suffered record losses of $1.3 billion in 2022 due to romance scams, with a median loss of $4,400.
Romance scams, also known as confidence fraud, can cause emotional scars and significant financial losses. Scammers use fake online identities to gain the trust of their victims on dating sites and social media platforms.
Once a victim is lured in, the scammer takes advantage of the victim’s trust to manipulate them into sending money or providing sensitive financial information, which can be used for other types of fraud. In 2022, nearly 70,000 people reported being scammed, and the FTC has warned that these figures represent only a fraction of the actual harm caused by romance scams, as most victims do not report the crime.
The FTC has also disclosed that Facebook (28%) and Instagram (29%) are the most popular platforms for fraudsters to contact their victims. Regarding payment methods, cryptocurrency (34%) and bank wire transfers/payments (27%) accounted for over 60% of the reported losses to romance scams in 2022.
The FBI has warned that victims of romance scams may be recruited as “money mules” and tricked into transferring money on behalf of the fraudsters.
NameCheap’s Email Compromised for Metamask and DHL Phishing Scams
Namecheap suffered an email account breach that resulted in a flood of MetaMask and DHL phishing emails.
The phishing campaign began around 4:30 PM ET and came from SendGrid, an email platform previously used by Namecheap to send renewal notices and marketing emails. The phishing emails impersonated DHL or MetaMask, attempting to steal recipients’ personal information and cryptocurrency wallets.
When recipients complained on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account was breached and that they disabled email through SendGrid while they investigated the issue.
The DHL phishing email pretended to be a bill for a delivery fee required to complete the package delivery. In contrast, the MetaMask phishing email pretended to be a required KYC (Know Your Customer) verification to prevent the wallet from being suspended.
Within the email, there was a marketing link originating from Namecheap which directed the recipient to a fraudulent MetaMask phishing page. The page then prompted the user to enter their ‘Secret Recovery Phrase’ or ‘Private key’.
Namecheap later published a statement that their systems were not breached, but it was an issue at an upstream system they used for email.
Ransomware Attack Shuts Down City of Oakland Systems
The City of Oakland fell victim to a ransomware attack, causing all systems to be taken offline until affected services were secured and restored.
The City’s Information Technology Department collaborates with law enforcement to investigate the attack’s scope and severity, restore impacted services, and secure the network. The City is also developing a response plan to address the issue following industry best practices. Although the identity of the ransomware group behind the attack remains unknown, there have been no ransom demands or data theft reports yet.
The public should anticipate delays from the City while the situation is being monitored, according to the City’s statement. On the other hand, Oakland reporter Jaime Omar Yassin claimed that the City’s under-staffing within its IT department exposed it to ransomware attacks. However, the attack did not affect core services such as 911 dispatch, fire, and emergency resources, which work normally.
As per Emsisoft threat analyst Brett Callow, at least six local US governments were impacted by ransomware this year, with four having stolen data. Furthermore, ransomware attacks across government, educational, and healthcare verticals in the US public sector will have affected more than 200 larger organizations in 2022.
California Medical Group Data Breach Affects 3.3 Million Patients
A ransomware attack has impacted multiple medical groups in the Heritage Provider Network in California, exposing sensitive patient information to cybercriminals.
The affected medical groups are Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group, and Greater Covina Medical. The entities jointly issued a notice of data breach at the beginning of February and submitted a sample letter to the California Attorney General’s office.
The healthcare organizations reported on the U.S. Department of Health and Human Services breach portal that 3,300,638 patients’ data was exposed in the attack. According to the breach notification, the ransomware attack occurred on December 1, 2022, with Regal’s employees reporting technical difficulties the following day.
A third-party cybersecurity expert investigated and determined that the organization’s servers were infected with malware, so a system restoration was initiated. Based on a review of the logs, the investigation found that sensitive data were compromised, including full name, Social Security Number (SSN), date of birth, address, medical diagnosis and treatment, laboratory test results, prescription data, radiology reports, health plan member number, and phone number.
Impacted patients should be cautious of targeted phishing attacks, scams, social engineering, or extortion using stolen data. If you are unsure if an email or text is legitimate, ignore it or contact your doctor to confirm its validity.
Reddit Hacked by Cybercriminals to Steal Source Code and Internal Data
Reddit experienced a cyberattack in which hackers infiltrated internal business systems and stole internal documents and source code.
According to Reddit, the hackers deployed a phishing lure aimed at the company’s employees using a landing page that mimicked its intranet site. The purpose of this site was to capture the employees’ credentials and 2FA tokens. The hackers accessed Reddit’s systems after one employee fell prey to the phishing scam. As a result, they were able to steal data and source code.
In a security incident notice, Reddit explained that “after successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”
After the employee self-reported the incident to Reddit’s security team, the organization began investigating the matter. Limited contact information for current and former employees as well as organizational contacts was found among the stolen data. However, the attackers did not access credit card information, passwords, or ad performance data.
Reddit has not disclosed any further details about the phishing attack but disclosed all the details they know with a blog.
Malicious Google Ads Introduce AWS Phishing Sites into Search Results
A recent phishing campaign aimed at stealing Amazon Web Services (AWS) login credentials is leveraging Google Ads to sneak phishing sites into Google Search.
The malicious ads ranked second in Google search results for “aws,” right behind Amazon’s promoted search result. Researchers at Sentinel Labs discovered the phishing campaign on January 30, 2023. The ads take victims to a blogger website under the attackers’ control, a copy of a legitimate vegan food blog. From there, the victim is automatically redirected to a fake AWS login page that requests their email address and password.
The phishing domains seen by Sentinel Labs include aws1-console-login[.]us and aws1-ec2-console[.]com. The phishing pages disable right clicks, middle mouse buttons, or keyboard shortcuts to prevent users from navigating away from the page. Sentinel Labs has reported the abuse to CloudFlare, which protected the phishing sites. However, the malicious Google Ads remain active even if the sites they link to are no longer online.
Cybercriminals have increasingly used Google Ads for phishing password manager accounts, achieving initial network compromise for ransomware deployment and malware distribution, among others.